Leveraging Log Management to provide business value
The importance of consolidation, correlation, and detection
Enterprise Series White Paper
Prism Microsystems, Inc.
8815 Centre Park Drive
Columbia MD 21045
877.333.1433
Published: August 17, 2009
The Log Management Challenge
In a typical enterprise, millions of logs are generated by systems, applications and devices
every single day. These logs contain a record of all activity that takes place in a network and
provide a wellspring of information to help improve security, enable compliance and
optimize IT operations. However, gaining any actionable intelligence from this data depends
on how well you can collect, consolidate, store and decipher the information that event logs
contain, which is no easy task to do manually given the following constraints:
Collection
As a result of regulatory requirements, companies have to, at a bare minimum, collect and
archive all log data from a number of devices and device types ranging from network and
security devices to operating systems, databases, applications and web logs. Considering that
in most companies the number of devices that generate event logs are in the hundreds or
thousands, and that each device can generate millions of logs every single day, simply
keeping up with the staggering volume can be a challenge. There is also the challenge of
establishing reliability for audit purposes; to demonstrate that logs were collected in a secure
manner.
Storage
In order to facilitate review, many compliance mandates require log data to be stored
securely for on-demand retrieval and historical analysis.
• The NIST guide for HIPAA requires that logs be maintained for 6 years at a minimum
• Section 103 of Sarbanes-Oxley requires that “information related to any audit report, in sufficient detail to support the conclusions reached in such report” be maintained for 7 years.
• Section 10.7 of the PCI Data Security Standard requires covered entities to retain audit trail data for at least one year, with a minimum of 3 months online availability.
• In addition, the Gramm-Leach-Bliley Act, the SANS Institute and various other best practices recommend that logs and documentation be kept for a varying number of years.
Normally, a single Windows server can generate over 100,000 events every day without
using the auditing feature. With the audit feature in operation, Windows servers, like many
UNIX systems, SNMP devices and firewalls, can produce over one million events per day. It
is not unusual for even a small organization to generate well over 20 million events every
day. This information needs to be securely archived for IT controls and compliance.
One hundred Windows servers with an average number of 100,000 events each, means a
total of 10 million events per day – and that is without auditing! If these events are kept for
90 days, it is necessary to manage and store 900 million events. Retained for 1 year, the
archive would contain over 3.5 billion separate event records. This can translate into a
significant storage burden, keeping in mind that one million events can take up to 5GB of
space in a traditional database.
Analysis
Analysis remains the third major challenge. The fact is that different devices generate logs in
a distinct, inconsistent and often cryptic format that is difficult to analyze without in-depth
system specific expertise. Also, many of the conditions that indicate issues can only be
detected when events are correlated or associated with events happening on other systems
and devices. If caught in time, these signs can alert personnel to take necessary actions
before security is compromised. Moreover, this analysis needs to be done in real-time for
immediate insight into unusual and suspicious user/network activity – a task that is
impossible to do manually, unless of course, a company has an army of IT experts at its
disposal 24/7.
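The cross-system correlation the paragraph above calls for, as an added example that is not from the paper or from EventTracker: two log formats (a simplified sshd syslog line and a made-up Windows-style audit line) are normalised into one schema, and a streaming rule then flags an account that fails to log on across several hosts and afterwards succeeds, a pattern no single host's log reveals. All sample lines, host names, accounts and addresses are constructed; event IDs 4625 and 4624 are the standard Windows failed and successful logon IDs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in two formats: a simplified sshd syslog line and a
# made-up Windows-style audit line. Not real captures.
SAMPLE_LOGS = [
    "2009-08-17T09:00:01 db01 sshd[412]: Failed password for svc_backup from 10.0.5.23",
    "2009-08-17T09:00:45 web02 sshd[981]: Failed password for svc_backup from 10.0.5.23",
    "2009-08-17T09:01:30 WIN-FS1 EventID=4625 Account=svc_backup Source=10.0.5.23",
    "2009-08-17T09:02:10 WIN-DC1 EventID=4624 Account=svc_backup Source=10.0.5.23",
    "2009-08-17T09:03:00 web02 sshd[982]: Failed password for jsmith from 10.0.7.9",
]

SYSLOG_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
WIN_RE = re.compile(r"^(\S+) (\S+) EventID=(\d+) Account=(\S+) Source=(\S+)")

def normalize(line):
    """Map one raw line to (ts, host, account, source_ip, outcome), or None when
    the format is unknown. 4625/4624 are the Windows failed/successful logon IDs."""
    m = SYSLOG_RE.match(line)
    if m:
        ts, host, verb, account, src = m.groups()
        return datetime.fromisoformat(ts), host, account, src, ("failure" if verb == "Failed" else "success")
    m = WIN_RE.match(line)
    if m:
        ts, host, event_id, account, src = m.groups()
        return datetime.fromisoformat(ts), host, account, src, ("failure" if event_id == "4625" else "success")
    return None

def correlate(lines, window=timedelta(minutes=5), min_hosts=3):
    """Streaming rule: one account fails on at least min_hosts distinct hosts
    inside the window and then logs on successfully anywhere. No single host's
    log shows this pattern; only the consolidated stream does."""
    recent = defaultdict(deque)  # account -> (ts, host) failures still in window
    alerts = []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            continue  # in practice unparsed lines are counted and reviewed, not dropped
        ts, host, account, src, outcome = ev
        q = recent[account]
        while q and ts - q[0][0] > window:
            q.popleft()  # expire failures that fell out of the window
        if outcome == "failure":
            q.append((ts, host))
            continue
        hosts = {h for _, h in q}
        if len(hosts) >= min_hosts:
            alerts.append({"account": account, "source": src, "at": ts.isoformat(),
                           "failed_hosts": sorted(hosts), "success_host": host})
            q.clear()  # one alert per burst
    return alerts
```

Run against SAMPLE_LOGS the rule raises one alert for svc_backup (failures on db01, web02 and WIN-FS1, then success on WIN-DC1) and nothing for the single jsmith failure.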
The case for automated Log Management
It is no wonder that IT managers who grasp the importance of event log data still find the
entire task of event log management a difficult challenge. That’s where SIEM (Security
Information and Event Management) or Log Management solutions come in. An automated
solution will address the challenges outlined in the previous section and help organizations
cost effectively collect, archive, correlate and analyze enterprise-wide log data for security
investigation and compliance reporting.
Traditional drivers: Compliance and Security
A Log Management solution is typically implemented for one or more of the following
reasons:
a) To comply and prove compliance
Log management is typically considered a security best practice, however, a number of
regulations such as SOX, HIPAA, PCI, GLBA and FISMA specifically call for the collection,
storage, regular review and analysis of log data. Log Management solutions help companies
wade through the often vague guidelines of compliance requirements with predefined reports
mapped to specific regulatory requirements. A comprehensive Log Management solution
helps you:
• Automate the entire compliance process from securing your environment,
establishing baselines, tracking user activity, alerting to potential violations to
creating audit-ready reports
• Demonstrate to auditors that periodic reviews are being conducted in compliance
with internal and external policies
• Comply with a variety of regulatory standards spanning multiple verticals
b) To detect and prevent security breaches
Event logs from firewalls, routers, systems and applications provide valuable clues about the
state of a company’s overall security posture. The really important clues, however, are often
very hard to detect and sometimes can only be extracted after viewing series of events on
multiple systems in context. Log Management solutions come with powerful correlation
capabilities that look for patterns of events taking place across the entire enterprise to detect
abnormal activity that may be indicative of an attack in progress.
These solutions help you:
• Detect and prevent damage from Zero-Day and other new forms of attack vectors
• Monitor user activity and USB device usage for unauthorized internal access to
sensitive data
• Monitor networks for suspicious activity that often precedes a security breach
• Create customized correlation rules to detect common and critical security
conditions in real-time.
• React quickly and early to suspicious activity with instant alerts and automatic
remediation for proactive prevention
c) To conduct forensic investigations on security incidents
Log Management solutions support forensic investigations by providing a complete audit
trail of forensically clean data leading up to an attack. Logs can be used to establish a
timeline of events, which can be used to piece together what went wrong, giving a detailed
perspective of what happened, so that steps can be taken to ensure that it does not happen
again.
Leveraging Log Management beyond the security organization
Beyond security and compliance, Log Management can be applied across the IT
organization to increase the efficiency of IT operations, primarily through increased
visibility into enterprise-wide activity. Log Management solutions not only help in
maintaining the IT infrastructure in optimal shape but also enable planning for future
requirements by monitoring disk space trends, CPU usage trends and service downtime. By
alerting on trends that indicate resource issues such as low disk space, runaway processes,
high-memory usage, etc. an event log management solution significantly improves IT
availability by reducing unplanned outages, while at the same time reducing the total cost of
ownership of the IT infrastructure. Log Management solutions:
• Automate routine tasks and decrease dependence on existing resources
• Enable IT staff to quickly diagnose issues before they escalate into costly
disruptions
• Accelerate troubleshooting times
• Free up personnel to do more productive tasks
Generating business value from Log Management
From the applications of Log Management detailed above, the business value that Log
Management solutions provide is apparent. Automation of regulatory processes, improved
efficiency of forensic investigations, faster troubleshooting and a better
security posture are some of the most important benefits that an organization gains with the
proper implementation of a log management solution.
There are also several lesser known benefits of Log Management that can provide
tremendous business value by addressing critical management areas:
Increased agility
In these tough economic times, the margin for business error is very slim. When services are
IT dependent, unexpected performance issues and security breaches can severely impact a
company’s competitiveness. In addition, lost business and revenue opportunities can result
if, for instance, an order taking system goes down, or if customers are unable to contact you.
An effective log management solution increases your business and IT agility by allowing
you to quickly respond to unexpected situations and problems before performance is affected
or revenue is lost.
Business process improvement
Considering that logs are records of what a system does minute by minute, the right log
management solution can provide a detailed understanding of most aspects of a business,
from how consumers use systems to purchase goods, to identifying operational bottlenecks,
to tracking resource utilizations. The insight that log data provides into business operations
can help you measure and optimize critical processes.
Business risk mitigation
A security breach can cause long-term damage to corporate reputation. The negative press
resulting from loss of sensitive customer data such as credit card information or social
security numbers can not only create customer distrust and subsequently impact sales and
revenue, but also hinder business relationships and partnerships. On the other hand, the
direct costs associated with clean-up activities after a security incident can also be
substantial. Large fines as a result of non-compliance, identity protection services offered to
affected customers, litigation fees, and civil lawsuits can all add up to a significant chunk of
money.
Log Management solutions substantially reduce the risks and costs associated with security
breaches by proactively detecting patterns indicative of a breach and enabling personnel to
perform remediation activities before costly damage is caused.
Enhanced team communication and collaboration
IT typically operates through specialized teams to manage security threats, optimize network
performance and enable compliance. These groups deploy point products within each of
their areas to meet their independent requirements, and while this approach is beneficial for
addressing department-specific objectives, it creates silos of data that hinder cross-
departmental collaboration and decision making. Log Management solutions enable cross-
functional communication and information sharing by seamlessly weaving together
information on all IT assets into an integrated framework that provides intelligence and
insight into enterprise-wide activity for effective decision making.
Increased management visibility
Executive Management benefits from dashboards and reports that provide visibility into
cross-departmental activities such as operational and security metrics, corporate governance,
and regulatory initiatives. Summary reports and analysis capabilities allow them to make a
quick assessment of progress and get an overview of the overall IT posture.
Reduced costs
Log Management solutions accelerate the time to identifying critical security and
performance issues to significantly reduce costs associated with service disruptions, security
breaches and non-compliance. With the automation of compliance processes and predefined
reports, the costs associated with preparing for audits and remaining in compliance are also
significantly reduced.
In addition, Log Management solutions help increase service levels without increasing staff
and reduce burdens on existing resources by automating routine tasks. In times of tightening
budgets and staff cuts, Log Management helps companies do more with less by addressing
multiple requirements across departments.
Conclusion
Log Management solutions, although typically deployed to meet very specific requirements,
have benefits that extend far beyond department level objectives. With the insight that log
data provides into enterprise-wide IT, a growing number of constituents can benefit from a
solution that automates the collection, consolidation and analysis of this data – these range
from audit and compliance groups, security teams, IT operations and Helpdesk teams to
legal teams (for forensic investigation), senior management and CIOs.
About EventTracker
EventTracker is a scalable, enterprise-class Security Information and Event Management (SIEM)
solution for Windows systems, Syslog/Syslog NG (UNIX and many networking devices), SNMP
V1/2, legacy systems, applications and databases. EventTracker enables “defense in depth”, where
log data is automatically collected, correlated and analyzed from the perimeter security devices
down to the applications and databases. To prevent security breaches, Event Log data becomes
most useful when interpreted in near real time and in context. Context is vitally important because
often the critical indications of impending problems and security violations can only be learned by
watching patterns of events across multiple systems. Complex rules can be run on the event stream
to detect signs of such a breach. EventTracker also provides real-time alerting capability in the
form of an email, page or SNMP message to proactively alert security personnel to an impending
security breach.
The original log data is also securely stored in a highly compressed event repository for compliance
purposes and later forensic analysis. For compliance, EventTracker provides a powerful reporting
interface, scheduled or on-demand report generation, automated compliance workflows that prove
to auditors that reports are being reviewed and many other features. With pre-built auditor grade
reports included for most of the compliance standards (FISMA, HIPAA, SOX, GLBA, PCI, and
more), EventTracker represents a compliance solution that is second to none. EventTracker also
provides advanced forensic capability where all the stored logs can be quickly searched through a
powerful Google-like search interface to perform quick problem determination.
EventTracker lets users completely meet the logging requirements specified in NIST SP 800-92
Guide To Computer Security Log Management, and additionally provides Host Based Intrusion
Detection, Change Monitoring and USB activity tracking on Windows systems, all in an off-the-shelf,
affordable software solution.
EventTracker provides the following benefits:
• A highly scalable, component-based architecture that consolidates all Windows, SNMP
V1/V2, legacy platforms, Syslog received from routers, switches, firewalls, critical
UNIX servers (Red Hat Linux, Solaris, AIX etc), Solaris BSM, workstations and
various other SYSLOG generating devices.
• Automated archival mechanism that stores activities over an extended period to meet
auditing requirements. The complete log is stored in a highly compressed (>90%),
secured (Sealed with SHA-1 checksum) archive that is limited only by the amount of
available disk storage.
• Real-time monitoring and parsing of all logs to analyze user activities such as logon
failures and failed attempts to access restricted information.
• Alerting interface that generates custom alert actions via email, pager, console
message, etc.
• Event correlation modules to constantly monitor for malicious hacking activity. In
conjunction with alerts, this is used to inform network security officers and security
administrators in real time. This helps minimize the impact of breaches.
• Various types of network activity reports, which can be scheduled or generated as
required for any investigation or meeting audit compliances.
• Host-based Intrusion Detection (HIDS).
• Role-based, secure event and reporting console for data analysis.
• Change Monitoring on Windows machines.
• USB Tracking, including restricted use, insert/removal recording, and a complete audit
trail of all files copied to the removable device.
• Built-in compliance workflows to allow inspection and annotation of the generated
reports.
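The compressed, checksum-sealed archive described in the second bullet above, as an added illustration that is not EventTracker's own format: each batch of raw lines is gzip-compressed and sealed with a digest, and the digest also covers the previous batch's seal, which goes beyond what the paper describes so that a silently dropped batch is detected as well as an edited one. The paper names SHA-1; SHA-256 here is the example's own choice, and the log lines and manifest fields are constructed.

```python
import gzip
import hashlib

# Constructed sample batches (one per collection interval); repetitive like real logs.
SAMPLE_BATCHES = [
    [f"2009-08-17T0{h}:00:00 web02 sshd[9{h}]: Accepted password for jsmith from 10.0.7.9" for h in range(1, 9)],
    [f"2009-08-17T1{h}:00:00 db01 sshd[4{h}]: Failed password for root from 10.0.5.23" for h in range(0, 8)],
]

def seal_batch(lines, prev_seal=""):
    """Compress one batch and seal it. The digest covers the compressed bytes and
    the previous batch's seal, so an edited batch and a dropped batch both break
    verification. SHA-256 is this example's choice; the paper describes SHA-1."""
    raw = "\n".join(lines).encode()
    blob = gzip.compress(raw)
    seal = hashlib.sha256(prev_seal.encode() + blob).hexdigest()
    manifest = {"records": len(lines), "raw_bytes": len(raw),
                "stored_bytes": len(blob), "prev_seal": prev_seal, "seal": seal}
    return blob, manifest

def build_chain(batches_of_lines):
    """Seal consecutive batches into a chain of (blob, manifest) pairs."""
    chain, prev = [], ""
    for lines in batches_of_lines:
        blob, manifest = seal_batch(lines, prev)
        chain.append((blob, manifest))
        prev = manifest["seal"]
    return chain

def verify_chain(chain):
    """Recompute every seal. Returns (True, None) or (False, index of first bad batch)."""
    prev = ""
    for i, (blob, manifest) in enumerate(chain):
        if manifest["prev_seal"] != prev:
            return False, i  # a batch before this one was removed or reordered
        if hashlib.sha256(prev.encode() + blob).hexdigest() != manifest["seal"]:
            return False, i  # compressed content no longer matches its seal
        prev = manifest["seal"]
    return True, None

def compression_ratio(manifest):
    """Fraction of raw bytes saved by compression for one batch."""
    return 1 - manifest["stored_bytes"] / manifest["raw_bytes"]

def tamper(blob):
    """Flip one bit of a stored blob (used to show that verification catches it)."""
    return blob[:-1] + bytes([blob[-1] ^ 0x01])
```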
About Prism Microsystems
Prism Microsystems, Inc. delivers business-critical solutions to consolidate, correlate and detect
changes that could impact the performance, availability and security of your IT infrastructure. With
a proven history of innovation and leadership, Prism provides easy-to-deploy products and
solutions for integrated Security Management, Change Management and Intrusion Detection.
EventTracker, Prism’s market leading enterprise log management solution, enables commercial
enterprises, educational institutions and government organizations to increase the security of their
environments and reduce risk to their enterprise. Customers span multiple sectors including
financial, communications, scientific, healthcare, banking and consulting.
Prism Microsystems was formed in 1999 and is a privately held corporation with corporate
headquarters in the Baltimore-Washington high tech corridor. Research and development facilities
are located in both Maryland and India. These facilities have been independently appraised in
accordance with the Software Engineering Institute’s Appraisal Framework, and were deemed to
meet the goals of SEI Level 3 for CMM.
For additional information, please visit http://www.prismmicrosys.com/.